On 26/9/2015 10:34 μμ, Gert Doering wrote:
> I wonder if just pre-setting all the NAT mappings wouldn't be much
> easier? So, you know that your server is handing out 192.168.1.x - so
> why not just initialize the SNAT so that every .x address is NATted
> to .150+(x mod 6) and done?
>
> (Now I'm prone myself to do fancy scripts for stuff, but then I'm also
> totally lazy, so if there is an easy way... :-) )
>
> gert
Yes, that could be done of course. Each approach has its advantages.

That solution has the advantage of a more static configuration, zero connect/disconnect effort (no scripts to create and run), and permanent private-public IP address mappings (traceability). Yet, you can't exclude the possibility of having users using the same public IP address, even if there are few of them concurrently connected, thus resulting in possible poor performance for them.

On the other hand, the solution I currently use guarantees that each connected user will have a separate public IP address until the pool gets exhausted. In our environment, we rarely have more concurrent users than the number of public IP addresses in the pool, so this may provide a better user experience overall (we have more than 50 users with VPN access, but never have more than 5 concurrent users).

Additionally, from the administrator's point of view, it's very easy to add/remove addresses in the pool, even temporarily, by simply adding/removing them in the "db" file. (With the other solution, one would have to re-distribute public addresses and re-create iptables NAT rules to best leverage available IP addresses in cases of expanding or decreasing the pool.)

We also store all private-public address associations (at any one time), to satisfy traceability needs.

I have put together above just my 2c. I am sure in this mailing list there are people more experienced than me, so they might provide more useful and/or insightful comments than I did. I have posted my solution in case it might be useful to someone/anyone, but also in order to get feedback.

All the best,
Nick

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
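The two approaches compared in this exchange, as an added shell example that is not code from the thread or from either poster: approach 1 is the static SNAT Gert proposes (client 192.168.1.x always leaves as .150+(x mod 6)), approach 2 is the dynamic pool Nick describes, where a client-connect hook claims the first free public address from a "db" file and a client-disconnect hook gives it back, so the file doubles as the private-to-public association record. The VPN subnet 192.168.1.0/24, the six public addresses 203.0.113.150-155 (documentation range), the outbound interface eth0 and the db file path are constructed assumptions; with the default DRY_RUN=1 the iptables commands are printed on stderr instead of executed, so the script runs without root.

```shell
#!/bin/sh
# Added example modelling the two NAT approaches from the thread (not the
# posters' code). Constructed assumptions: VPN subnet 192.168.1.0/24, public
# pool 203.0.113.150-155, outbound interface eth0, db file under /tmp.
# DRY_RUN=1 (default) prints iptables commands instead of running them.

VPN_PREFIX="192.168.1"
PUBLIC_PREFIX="203.0.113"
PUBLIC_BASE=150
POOL_SIZE=6
OUT_IF="eth0"
DRY_RUN="${DRY_RUN:-1}"
POOL_DB="${POOL_DB:-/tmp/vpn-nat-pool.db}"

# Run (or, in dry-run mode, print) an iptables command. Output goes to
# stderr so the pool functions can return addresses on stdout.
nat_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] iptables $*" >&2
    else
        iptables "$@"
    fi
}

# --- Approach 1: static SNAT, .x -> .150 + (x mod 6) ----------------------

# The public address a given client address is permanently mapped to.
static_public_for() {
    oct="${1##*.}"                     # last octet of the client address
    echo "${PUBLIC_PREFIX}.$((PUBLIC_BASE + oct % POOL_SIZE))"
}

# Install one SNAT rule per possible client address, once, at boot.
install_static_rules() {
    x=1
    while [ "$x" -le 254 ]; do
        nat_cmd -t nat -A POSTROUTING -s "${VPN_PREFIX}.${x}" -o "$OUT_IF" \
            -j SNAT --to-source "$(static_public_for "${VPN_PREFIX}.${x}")"
        x=$((x + 1))
    done
}

# --- Approach 2: dynamic pool tracked in a db file ------------------------
# Each db line is "<public-ip> <owner>", owner being the client's private
# address or the word "free". Adding/removing pool addresses = editing lines.

init_pool() {
    i=0
    : > "$POOL_DB"
    while [ "$i" -lt "$POOL_SIZE" ]; do
        echo "${PUBLIC_PREFIX}.$((PUBLIC_BASE + i)) free" >> "$POOL_DB"
        i=$((i + 1))
    done
}

# Rewrite the owner field of one public address (portable, no sed -i).
pool_set_owner() {
    awk -v ip="$1" -v owner="$2" '$1 == ip { $2 = owner } { print }' \
        "$POOL_DB" > "${POOL_DB}.tmp" && mv "${POOL_DB}.tmp" "$POOL_DB"
}

# client-connect hook: claim the first free public address for the client
# and add its 1:1 SNAT rule. Prints the address; returns 1 when exhausted.
pool_acquire() {
    priv="$1"
    pub=$(awk '$2 == "free" { print $1; exit }' "$POOL_DB")
    [ -n "$pub" ] || return 1
    pool_set_owner "$pub" "$priv"      # record the association (traceability)
    nat_cmd -t nat -A POSTROUTING -s "$priv" -o "$OUT_IF" -j SNAT --to-source "$pub"
    echo "$pub"
}

# client-disconnect hook: delete the client's rule and free its address.
pool_release() {
    priv="$1"
    pub=$(awk -v p="$priv" '$2 == p { print $1; exit }' "$POOL_DB")
    [ -n "$pub" ] || return 1
    nat_cmd -t nat -D POSTROUTING -s "$priv" -o "$OUT_IF" -j SNAT --to-source "$pub"
    pool_set_owner "$pub" free
    echo "$pub"
}

# Number of public addresses currently unassigned.
pool_free_count() {
    awk '$2 == "free" { n++ } END { print n + 0 }' "$POOL_DB"
}
```

On a real gateway the pool functions would be invoked from OpenVPN's `client-connect` and `client-disconnect` script hooks, which export the client's tunnel address in the `ifconfig_pool_remote_ip` environment variable; because two clients can connect at the same moment, the db update should be serialized (for example by holding a `flock` on the db file around `pool_acquire` and `pool_release`), otherwise both could claim the same public address and the traceability record would be wrong. The static variant needs none of that, which is the trade-off the thread is weighing.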